]>
Commit | Line | Data |
---|---|---|
ef7eaa4c | 1 | =pod |
625c781d | 2 | {- OpenSSL::safe::output_do_not_edit_headers(); -} |
9fcb9702 | 3 | |
ef7eaa4c DSH |
4 | =head1 NAME |
5 | ||
b6b66573 | 6 | openssl-dhparam - DH parameter manipulation and generation |
ef7eaa4c DSH |
7 | |
8 | =head1 SYNOPSIS | |
9 | ||
41918458 | 10 | B<openssl dhparam> |
169394d4 | 11 | [B<-help>] |
e8769719 RS |
12 | [B<-inform> B<DER>|B<PEM>] |
13 | [B<-outform> B<DER>|B<PEM>] | |
41918458 BM |
14 | [B<-in> I<filename>] |
15 | [B<-out> I<filename>] | |
16 | [B<-dsaparam>] | |
fc1d88f0 | 17 | [B<-check>] |
ef7eaa4c DSH |
18 | [B<-noout>] |
19 | [B<-text>] | |
a414fd67 PP |
20 | [B<-verbose>] |
21 | [B<-quiet>] | |
09483c58 | 22 | [B<-2>] |
a38c878c | 23 | [B<-3>] |
09483c58 | 24 | [B<-5>] |
d55e4487 | 25 | {- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_r_synopsis -} |
6bd4e3f2 | 26 | {- $OpenSSL::safe::opt_provider_synopsis -} |
41918458 | 27 | [I<numbits>] |
ef7eaa4c DSH |
28 | |
29 | =head1 DESCRIPTION | |
30 | ||
31 | This command is used to manipulate DH parameter files. | |
32 | ||
1127754e RS |
33 | See L<openssl-genpkey(1)/EXAMPLES> for examples on how to generate |
34 | a key using a named safe prime group without generating intermediate | |
35 | parameters. | |
36 | ||
ef7eaa4c DSH |
37 | =head1 OPTIONS |
38 | ||
39 | =over 4 | |
40 | ||
169394d4 MR |
41 | =item B<-help> |
42 | ||
43 | Print out a usage message. | |
44 | ||
777182a0 | 45 | =item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM> |
ef7eaa4c | 46 | |
777182a0 RS |
47 | The input format and output format; the default is B<PEM>. |
48 | The object is compatible with the PKCS#3 B<DHparameter> structure. | |
46949153 | 49 | See L<openssl-format-options(1)> for details. |
ef7eaa4c | 50 | |
41918458 | 51 | =item B<-in> I<filename> |
ef7eaa4c DSH |
52 | |
53 | This specifies the input filename to read parameters from or standard input if | |
54 | this option is not specified. | |
55 | ||
41918458 | 56 | =item B<-out> I<filename> |
ef7eaa4c DSH |
57 | |
58 | This specifies the output filename parameters to. Standard output is used | |
59 | if this option is not present. The output filename should B<not> be the same | |
60 | as the input filename. | |
61 | ||
41918458 BM |
62 | =item B<-dsaparam> |
63 | ||
64 | If this option is used, DSA rather than DH parameters are read or created; | |
65 | they are converted to DH format. Otherwise, "strong" primes (such | |
66 | that (p-1)/2 is also prime) will be used for DH parameter generation. | |
67 | ||
68 | DH parameter generation with the B<-dsaparam> option is much faster, | |
69 | and the recommended exponent length is shorter, which makes DH key | |
70 | exchange more efficient. Beware that with such DSA-style DH | |
71 | parameters, a fresh DH key should be created for each use to | |
72 | avoid small-subgroup attacks that may be possible otherwise. | |
73 | ||
fc1d88f0 RS |
74 | =item B<-check> |
75 | ||
eeb21772 MC |
76 | Performs numerous checks to see if the supplied parameters are valid and |
77 | displays a warning if not. | |
fc1d88f0 | 78 | |
a38c878c | 79 | =item B<-2>, B<-3>, B<-5> |
09483c58 | 80 | |
a38c878c | 81 | The generator to use, either 2, 3 or 5. If present then the |
b5a379aa | 82 | input file is ignored and parameters are generated instead. If not |
2f0ea936 | 83 | present but I<numbits> is present, parameters are generated with the |
b5a379aa | 84 | default generator 2. |
09483c58 | 85 | |
41918458 | 86 | =item I<numbits> |
09483c58 | 87 | |
c4de074e | 88 | This option specifies that a parameter set should be generated of size |
b5a379aa EK |
89 | I<numbits>. It must be the last option. If this option is present then |
90 | the input file is ignored and parameters are generated instead. If | |
6de1fe90 | 91 | this option is not present but a generator (B<-2>, B<-3> or B<-5>) is |
b5a379aa | 92 | present, parameters are generated with a default length of 2048 bits. |
6de1fe90 | 93 | The minimim length is 512 bits. The maximum length is 10000 bits. |
09483c58 | 94 | |
ef7eaa4c DSH |
95 | =item B<-noout> |
96 | ||
c4de074e | 97 | This option inhibits the output of the encoded version of the parameters. |
ef7eaa4c DSH |
98 | |
99 | =item B<-text> | |
100 | ||
c4de074e | 101 | This option prints out the DH parameters in human readable form. |
ef7eaa4c | 102 | |
018aaeb4 | 103 | {- $OpenSSL::safe::opt_engine_item -} |
bfa35550 | 104 | |
9fcb9702 RS |
105 | {- $OpenSSL::safe::opt_r_item -} |
106 | ||
6bd4e3f2 P |
107 | {- $OpenSSL::safe::opt_provider_item -} |
108 | ||
a414fd67 PP |
109 | =item B<-verbose> |
110 | ||
111 | This option enables the output of progress messages, which is handy when | |
112 | running commands interactively that may take a long time to execute. | |
113 | ||
114 | =item B<-quiet> | |
115 | ||
116 | This option suppresses the output of progress messages, which may be | |
117 | undesirable in batch scripts or pipelines. | |
118 | ||
ef7eaa4c DSH |
119 | =back |
120 | ||
121 | =head1 NOTES | |
122 | ||
fadb57e5 RS |
123 | This command replaces the B<dh> and B<gendh> commands of previous |
124 | releases. | |
125 | ||
ef7eaa4c DSH |
126 | =head1 SEE ALSO |
127 | ||
b6b66573 | 128 | L<openssl(1)>, |
1ddf2594 | 129 | L<openssl-pkeyparam(1)>, |
1127754e RS |
130 | L<openssl-dsaparam(1)>, |
131 | L<openssl-genpkey(1)>. | |
ef7eaa4c | 132 | |
1ddf2594 P |
133 | =head1 HISTORY |
134 | ||
ee825284 | 135 | The B<-engine> option was deprecated in OpenSSL 3.0. |
1ddf2594 | 136 | |
1696b890 RS |
137 | The B<-C> option was removed in OpenSSL 3.0. |
138 | ||
e2f92610 RS |
139 | =head1 COPYRIGHT |
140 | ||
fecb3aae | 141 | Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. |
e2f92610 | 142 | |
449040b4 | 143 | Licensed under the Apache License 2.0 (the "License"). You may not use |
e2f92610 RS |
144 | this file except in compliance with the License. You can obtain a copy |
145 | in the file LICENSE in the source distribution or at | |
146 | L<https://www.openssl.org/source/license.html>. | |
147 | ||
148 | =cut |